Squid Vulnerability: Insecure forwarding of proxy_auth

Advisories

Discover Server Security News

Squid Vulnerability: Insecure forwarding of proxy_auth

32.Lock Code Circular

Vendors have not issued updates yet for a vulnerability just reported by the Squid Project. "Under some conditions Squid may forward the proxy authentication credentails. This can happen if you normally require your users to log in to use the proxy, but allow some sites to be reached without needing to log in.". . .

Vendors have not issued updates yet for a vulnerability just reported by the Squid Project. "Under some conditions Squid may forward the proxy authentication credentails. This can happen if you normally require your users to log in to use the proxy, but allow some sites to be reached without needing to log in."

synopsis under some conditions Squid may forward the proxy authentication credentails. This can happen if you normally require your users to log in to use the proxy, but allow some sites to be reached without needing to log in.

This patch restricts such forwarding to only your configured cache_peers. If you need to further control the credentials forwarding then upgrading to Squid-2.5 is recommended as the forwarding is controlled per cache_peer in Squid-2.5 and later.

versions 2.4.STABLE6 and earlier
platforms All
reported by Hernan Otero
configuration if a mixture of proxy authentication and sites not requiring authentication is used.
patch squid-2.4.STABLE6-proxy_auth.patch
workaround If you use proxy authentication, make sure to use it on all requests. Do not allow access to some sites without the need to log in.

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.